Package TWiki::LoginManager

The package is both a factory for login managers and the base class
for all login managers.

On its own, an object of this class is used when you specify 'none' in
the security setup section of configure. When it is used, logins are not
supported. If you want to authenticate users then you should consider
TemplateLogin or ApacheLogin, which are subclasses of this class.

If you are building a new login manager, then you should write a new subclass
of this class, implementing the methods marked as VIRTUAL. There are already
examples in the lib/TWiki/LoginManager directory.

The class has extensive tracing, which is enabled by
$TWiki::cfg{Trace}{LoginManager.pm}. The tracing is done in such a way as to
let the perl optimiser optimise out the trace function as a no-op if tracing
is disabled.

Here's an overview of how it works:

1. Early in TWiki::new, the login manager is created. The creation of the
   login manager does two things:
   - If sessions are in use, it loads CGI::Session but doesn't initialise
     the session yet.
   - Creates the login manager object.

2. Slightly later in TWiki::new, loginManager->loadSession is called. It:
   - Calls loginManager->getUser to get the username before the session is
     created.
   - Reads the TWIKISID cookie to get the SID (or the TWIKISID parameters in
     the CGI query if cookies aren't available, or IP2SID mapping if that's
     enabled).
   - Creates the CGI::Session object, and the session is thereby read.
   - If the username still isn't known, reads it from the cookie. Thus
     TWiki::LoginManager::ApacheLogin overrides the cookie using REMOTE_USER,
     and TWiki::LoginManager::TemplateLogin always uses the session.

3. Later again in TWiki::new, plugins are given a chance to override the
   username found from the loginManager.

4. The last step in TWiki::new is to find the user, using whatever user
   mapping manager is in place.

sub createCryptToken ( $session ) -> $token

Takes the session as input and returns the token, an MD5 hash string.
This subroutine is also responsible for updating the token database.

The tokens address the CSRF (cross-site request forgery) issue.

sub cleanCryptTokens ( $session, $token )

This subroutine removes used tokens. It is usually called from the token
verification subroutines.

sub addCryptTokeninForm ( ) -> returns the form with a "crypttoken" hidden
HTML input field

If the TWiki application developer has already added a "crypttoken" field,
this subroutine returns the form without performing any parsing.
If a form with method POST does not have a "crypttoken" field, this
subroutine adds the token.
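
The token lifecycle that createCryptToken, cleanCryptTokens and addCryptTokeninForm describe (issue and record a token, add it to POST forms that lack one, remove it once used), as an added Perl example that is not TWiki's own code. The in-memory %token_db, the sub names, the /dev/urandom source and the input fed to MD5 are assumptions; the page does not say what TWiki hashes or where it stores tokens.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Hypothetical in-memory stand-in for the token database: session ID => { token => 1 }
my %token_db;

# Issue a token tied to one session and record it as outstanding.
sub issue_token {
    my ($sid) = @_;
    open( my $fh, '<:raw', '/dev/urandom' ) or die "no random source: $!";
    read( $fh, my $rand, 16 ) == 16 or die "short read from /dev/urandom";
    close $fh;
    my $token = md5_hex( $sid . $rand );    # what gets hashed is an assumption
    $token_db{$sid}{$token} = 1;
    return $token;
}

# Accept a token once: it is deleted as part of the check, so a replay fails.
sub verify_token {
    my ( $sid, $token ) = @_;
    return 0 unless defined $token && exists $token_db{$sid};
    return delete( $token_db{$sid}{$token} ) ? 1 : 0;
}

# Add a hidden "crypttoken" field to every POST form that does not carry one.
sub add_token_to_forms {
    my ( $html, $sid ) = @_;
    $html =~ s{(<form\b[^>]*>)(.*?)(</form>)}{
        my ( $open, $body, $close ) = ( $1, $2, $3 );
        if ( $open =~ /\bmethod\s*=\s*["']?post\b/i
            && $body !~ /\bname\s*=\s*["']?crypttoken\b/i )
        {
            $body = '<input type="hidden" name="crypttoken" value="'
              . issue_token($sid) . '" />' . $body;
        }
        $open . $body . $close;
    }gise;
    return $html;
}

# Constructed sample page: one POST form and one GET form.
my $sid  = 'constructed-session-id';
my $page = '<form method="post" action="/save"><input name="text" /></form>'
  . '<form method="get" action="/search"><input name="q" /></form>';
my $out = add_token_to_forms( $page, $sid );
my ($tok) = $out =~ /name="crypttoken" value="([0-9a-f]{32})"/;
printf "first use: %d\nreplay: %d\nother session: %d\n",
  verify_token( $sid, $tok ), verify_token( $sid, $tok ),
  verify_token( 'other-session', $tok );
```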